Purple Team Exercise Framework

Created and Provided to the Community by: SCYTHE & Jorge Orchilles, CTO
© 2020 SCYTHE Inc.

Contents

Executive Summary 2
Goals 3
Methodology 3
Roles and Responsibilities 4
    Sponsors 5
    Cyber Threat Intelligence 5
    Red Team 5
    Security Operations Center (Blue Team) 6
    Hunt Team (Blue Team) 6
    Digital Forensics & Incident Response (Blue Team) 6
Cyber Threat Intelligence 7
    Understand the Target Organization 7
    Identify the Adversary to Emulate 7
    Gather Cyber Threat Intelligence 8
    Extract TTPs 9
    Analyze and Organize 10
    Table Top TTPs with Managers 10
    Create an Adversary Emulation Plan 11
Preparation 12
    Logistics 12
        Target Systems 13
        Security Tools 13
        Target Accounts 13
    Attack Infrastructure 14
        External Infrastructure 14
        Internal Infrastructure 14
    Red Team Preparation 14
    Blue Team Preparation 15
Exercise Execution 16
    Kick Off 16
    Exercise Flow 16
    Tracking Exercise 17
Lessons Learned 18
    Tracking Action Items 18
    Retesting 18
About SCYTHE 18

Purple Team Exercise Framework (PTEF) © 2020 SCYTHE Inc. 1

Executive Summary

This document defines a Purple Team Exercise Framework (PTEF) to facilitate the creation of a formal Purple Team Program by performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations. A Purple Team is a virtual team where the following teams work together:

● Cyber Threat Intelligence - team to research and provide threat TTPs
● Red Team - offensive team in charge of emulating adversaries
● Blue Team - the defenders: Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)

While Red Team Engagements are considered “zero knowledge” engagements, where Blue Teams are unaware of the adversary emulation prior to or during the engagement, a Purple Team Exercise is a full-knowledge engagement where the attack activity is exposed and explained to the Blue Team as it occurs.
Purple Team Exercises are “hands-on keyboard” exercises where Red and Blue teams work together with an open discussion about each attack technique and defense expectation to improve people, process, and technology in real time. Purple Team Exercises are Cyber Threat Intelligence led, emulating Tactics, Techniques, and Procedures (TTPs) leveraged by known malicious actors actively targeting the organization to identify and remediate gaps in the organization’s security posture.

At a high level, a Purple Team Exercise is executed with the following flow:

1. Cyber Threat Intelligence, Exercise Coordinator, or Red Team presents the adversary, TTPs, and technical details
2. Attendees have a table-top discussion of security controls and expectations for the TTP
3. Red Team emulates the TTP
4. Blue Team (SOC and Hunt team) and DFIR analysts follow process to detect and respond to the TTP
5. Share screen if the TTP was identified: received alert, logs, or any forensic artifacts
6. Document results - what worked and what did not
7. Perform any adjustments or tuning to security controls to increase visibility
8. Repeat the TTP
9. Document any feedback and/or additional Action Items for Lessons Learned
10. Repeat from step 1 for the next TTP

Goals

Purple Team Exercises are triggered by specific needs that arise to train Red and Blue Team members or improve process or technology, with the end goal of increasing resilience to current threats. Once the trigger or need for a Purple Team Exercise is identified, specific goals should be defined and documented, which can then be leveraged to drive the planning process.
Purple Team Exercises may be triggered for one or more of the following reasons:

● Test attack chains against a target organization
● Train the organization’s defenders (Blue Team)
● Test TTPs that have not been tested before in the organization
● Test the processes between security teams
● Preparation for a zero-knowledge Red Team Engagement
● Red Team reveal or replay after a zero-knowledge Red Team Engagement
● Foster a collaborative culture within the security organization

Methodology

Purple Team Exercises follow similar methodologies as zero-knowledge Adversary Emulations. Purple Team Exercises are Cyber Threat Intelligence led, emulating Tactics, Techniques, and Procedures (TTPs) leveraged by known malicious actors actively targeting the organization to identify and remediate gaps in